
Plugin data (was Re: Comments on Mixed Content)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Thu, 15 Jan 2015 14:39:47 -0800
Message-ID: <54B841B3.5030207@mozilla.com>
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Pulling out the section on plugin data.  Right now, the spec treats 
subrequests initiated by plugins as optionally blockable.  Such requests 
might be for script subresources or they might be for image 
subresources, but either way they are categorized as optionally 
blockable.  Since the plugin is the one requesting the resource, it is 
hard for the user agent to tell if the request is for content that 
should be blockable[1].  In order to avoid blocking optionally blockable 
content, user agents have categorized this as optionally blockable even 
though some of the content warrants blocking.

As Mike has suggested below, should we add requirements for plugins?  We 
could add text that says plugins must not request blockable content in a 
secure context.

~Tanvi
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=836352

On 1/13/15 10:51 PM, Mike West wrote:
>
>     > It's entirely possible that other implementations will need to rely on the plugin itself to do
>     blocking (as Chrome and other UAs do with Flash and Incognito mode
>     today).
>
>     Because it is difficult (at least for us) to understand what a
>     plugin is doing, we have to rely on the plugin to do the right
>     thing.  Our proposed tack would be users are responsible for the
>     plugins installed and user agents should not be considered out of
>     compliance because of user installed plugins. Sound OK?
>
>
> I'd suggest that the spec should create requirements for plugin 
> behavior, just as the CSP spec does. It's likely that we won't be able 
> to hit 100% conformance, but we should be very clear about the 
> direction we're pushing towards.
>
> Regarding the user agent's conformance, I'd suggest that it would be 
> (for example) Adobe's responsibility to provide a Flash plugin that 
> meets the spec's requirements, and we wouldn't ding IE for not meeting 
> the requirement.
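As an added illustration (not code from this thread, the spec, or any browser), here is a small Python classifier for the gap Tanvi describes: a script fetched over http from an https page is blockable when the page requests it directly, but only optionally blockable when a plugin requests it under the current draft. The `plugin_requirement` flag, the destination set and the loopback-only trustworthy-origin check are assumptions that simplify the spec's real rules.

```python
from urllib.parse import urlsplit

# Classification strings as used by the Mixed Content draft.
BLOCKABLE = "blockable"
OPTIONALLY_BLOCKABLE = "optionally blockable"
NOT_MIXED = "not mixed content"

# Assumed subset of destinations the draft treats as optionally blockable
# when loaded insecurely into a secure context; everything else (scripts,
# stylesheets, fonts, XHR, ...) is blockable.
OPTIONALLY_BLOCKABLE_DESTINATIONS = {"image", "audio", "video"}


def is_a_priori_insecure(url: str) -> bool:
    """True if the URL is neither https/wss nor a loopback origin.
    Simplified: the spec's 'potentially trustworthy' rules are wider."""
    parts = urlsplit(url)
    if parts.scheme in ("https", "wss"):
        return False
    if parts.scheme in ("http", "ws") and parts.hostname in ("localhost", "127.0.0.1", "::1"):
        return False  # loopback is treated as potentially trustworthy
    return True


def classify(document_url: str, request_url: str, destination: str,
             plugin_initiated: bool = False, plugin_requirement: bool = False) -> str:
    """Classify a subresource request made from a document.

    plugin_initiated:   the request is issued by a plugin, so the UA cannot
                        see what the bytes will be used for.
    plugin_requirement: apply the proposed rule that plugins must not request
                        blockable content in a secure context; the request is
                        then judged by its real destination instead of being
                        lumped under 'optionally blockable'.
    """
    document_secure = not is_a_priori_insecure(document_url)
    if not document_secure or not is_a_priori_insecure(request_url):
        return NOT_MIXED  # only secure page + insecure fetch is mixed content
    if plugin_initiated and not plugin_requirement:
        # Current draft: all plugin subrequests are optionally blockable,
        # even when the plugin is about to execute the response as script.
        return OPTIONALLY_BLOCKABLE
    if destination in OPTIONALLY_BLOCKABLE_DESTINATIONS:
        return OPTIONALLY_BLOCKABLE
    return BLOCKABLE
```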
Received on Thursday, 15 January 2015 22:40:18 UTC